Abstract

A wait-free hierarchy maps object types to levels in {1, 2, 3, ...} ∪ {∞}, and has the following
property: if a type T is at level N, and T' is an arbitrary type, then there is a wait-free
implementation of an object of type T', for N processes, using only registers and
objects of type T. The infinite hierarchy defined by Herlihy is an example of a wait-free
hierarchy. A wait-free hierarchy is robust if it has the following property: if T is at level
N, and S is a finite set of types belonging to levels N - 1 or lower, then there is no
wait-free implementation of an object of type T, for N processes, using any number and
any combination of objects belonging to the types in S. Robustness implies that there
are no clever ways of combining weak shared objects to obtain stronger ones.

Contrary  to  what  many  researchers  believe  [AGTV92,  AR92,  Her91a],  we  prove 
that  Herlihy’s  hierarchy  is  not  robust.  We  then  define  some  natural  variants  of  Herlihy’s 
hierarchy,  which  are  also  infinite  wait-free  hierarchies.  With  the  exception  of  one,  which 
is  still  open,  these  are  not  robust  either.  We  conclude  with  the  open  question  of  whether 
non-trivial  robust  wait-free  hierarchies  exist. 


*Research supported by NSF grants CCR-8901780 and CCR-9102231, DARPA/NASA Ames grant
NAG-2-593, grants from the IBM Endicott Programming Laboratory and Siemens Corp.

1 Introduction


A  concurrent  system  consists  of  asynchronous  processes  communicating  via  typed  shared 
objects  such  as  registers,  test&sets,  and  queues.  Since  any  given  system  supports  only  a 
limited  set  of  object  types  in  its  hardware,  other  useful  types  will  need  to  be  implemented 
in  software.  Thus,  implementing  an  object  of  a  given  type  using  objects  belonging  to  a 
given  set  of  types  is  a  fundamental  problem.  To  be  useful,  implementations  must  guarantee 
linearizability  [HW90]:  concurrent  accesses  on  an  implemented  object  must  appear  to  take 
effect  in  some  sequential  order.  One  way  to  ensure  linearizability  is  to  implement  shared 
objects using critical sections [CHP71]. This approach however is not fault-tolerant: the
crash of a process while in the critical section of an implemented object can permanently
prevent the remaining processes from accessing the object. This lack of fault-tolerance led
to  the  concept  of  wait-free  implementations  [Lam77].  An  implementation  is  wait-free  if 
every  process  can  complete  every  operation  on  the  implemented  object  in  a  finite  number  of 
its  own  steps,  regardless  of  the  execution  speeds  of  the  remaining  processes.  In  particular,  if 
object  O  is  built  using  a  wait-free  implementation,  then  the  crash  of  some  processes  cannot 
disable  the  remaining  processes  from  completing  their  operations  on  O. 

How  feasible  are  wait-free  implementations?  It  is  known  that  registers  are  too  weak  to 
implement¹ even a 2-process consensus object, i.e., a consensus object that is accessed by
at most two processes [LAA87, CIL87]. Test&sets and 1-bit read-modify-write objects can
implement a 2-process consensus object, but not a 3-process consensus object [LAA87]. 3-valued
read-modify-write, on the other hand, can implement an N-process consensus object,
for  all  N.  These  results  indicate  that  object  types  differ  in  their  ability  to  support  wait-free 
synchronization,  and  that  there  may  be  a  way  of  ordering  them  accordingly.  This  issue  was 
addressed  in  a  seminal  paper  by  Herlihy  [Her88,  Her91b].  Following  are  some  important 
definitions  and  results  in  [Her91b]. 

1. For every object type T, an object of type T can be implemented for N processes
using only registers and N-process consensus objects. This is the universality result
of Herlihy.

2. For every N > 1, (N + 1)-process consensus object cannot be implemented using just
registers and N-process consensus objects.

3. The consensus number of a shared object O is the maximum number N such that an
N-process consensus object can be implemented using just O and (any number of)
registers. Define a hierarchy of shared objects such that O is at level N if and only if
its consensus number is N. This will be referred to as Herlihy's hierarchy.

As an obvious consequence of the universality result, Herlihy's hierarchy has the following
important property: if an object O of type T is at level N, then for every object type
T', an object of type T' can be implemented for N processes using just registers and objects
of type T. We will call any hierarchy with this property a wait-free hierarchy. Thus, in a
wait-free hierarchy such as Herlihy's, if an object O of type T is at level N, we can immediately
infer that arbitrary wait-free synchronization among N processes is feasible using just
registers and objects of type T. Notice that this definition allows O to be at level N even if
arbitrary wait-free synchronization among more than N processes is feasible using registers
and objects of the type of O. Thus, the level of an object in a wait-free hierarchy does
not reflect the object's full potential; it is only a lower bound on the extent to which the
object can support arbitrary wait-free synchronization. To understand the exact potential
of objects, we define a tight wait-free hierarchy. In such a hierarchy, an object O is at level
N if N is the maximum number of processes for which arbitrary wait-free synchronization
is feasible using registers and objects of the type of O.

¹Hereafter “implementation” stands for “wait-free implementation”.

What other properties are important in a hierarchy? We argue below that robustness is
one. A hierarchy is robust if for every object O, the following holds: if O is at level N, then
it is impossible to implement O for N processes using any number and any combination of
objects at levels N - 1 or lower. Robustness guarantees that there are no clever ways of
putting weak objects together to implement a strong one. We now present an example to
illustrate the significance of robustness in analyzing the power of shared primitives. Consider
two systems S1 and S2. Suppose that S1 supports only registers and test&sets, and S2
supports only registers with 3-register assignment. Herlihy showed that arbitrary wait-free
synchronization is impossible for 3 or more processes in S1, and for 5 or more processes
in S2. What implications do these results have on a third system S3 which supports both
test&sets, and registers with 3-register assignment? In particular, can we conclude,
based on just the above results, that arbitrary wait-free synchronization among 5 processes is
still impossible? We can, provided that Herlihy's hierarchy is robust. Otherwise we cannot.
More  generally,  if  Herlihy’s  hierarchy  is  robust,  the  consensus  number  of  a  set  of  objects, 
belonging  (possibly)  to  different  types,  is  just  the  maximum  of  the  consensus  numbers  of  the 
individual  objects  in  the  set.  Thus,  robustness  reduces  the  difficult  problem  of  analyzing  the 
power  of  a  combination  of  shared  objects  to  the  simpler  problem  of  analyzing  the  power  of 
the  individual  objects.  On  the  other  hand,  if  robust  wait-free  hierarchies  do  not  exist,  then 
there  is  a  possibility  of  combining  weak  objects  to  implement  strong  ones.  In  particular, 
it  opens  up  the  possibility  of  implementing  universal  objects  from  non-universal  objects! 
Thus,  from  a  pragmatic  point  of  view,  it  would  also  be  interesting  to  prove  that  robust 
wait-free  hierarchies  do  not  exist. 

Is Herlihy's hierarchy robust? A study of this question with respect to common object
types, such as register, test&set, fetch&add, queue, compare&swap, and sticky-bit,
does not present any evidence to the contrary. In fact, many prominent researchers have
attributed robustness to Herlihy's hierarchy [AGTV92, AR92, Her91a].² We prove that it
is not robust. More specifically, we present an object type T_sp with the property that k
objects of this type, together with registers, can implement a (k + 1)-process consensus
object, but not a (k + 2)-process consensus object. In particular, one T_sp object, with
registers, can implement a 2-process consensus object, but not a 3-process consensus object.
Thus, by definition, a T_sp object has a consensus number of 2, and is consequently at
level 2 in Herlihy's hierarchy. However, since multiple T_sp objects, with registers, can
implement a consensus object for arbitrarily large number of processes, it follows from
Herlihy's universality result that for all types T and all N, an object of type T can be
implemented for N processes using just registers and T_sp objects. Together with the fact
that a T_sp object is at level 2, this implies that Herlihy's wait-free hierarchy is not robust.

²[AGTV92] states “An object has a consensus number k if k is the maximum number of processes for
which the object can be used to solve the consensus problem. Thus objects with higher consensus number
cannot be deterministically implemented by employing objects with lower consensus numbers.”

[AR92] states “In fact, Herlihy [Her88] describes a full hierarchy of atomicity assumptions, and proves
that atoms of a higher class cannot be implemented by those of a lower class, in a wait-free fashion in the
deterministic setting.”

[Her91a] states “Elsewhere [17, 15], we have shown that any object X can be assigned a consensus number,
which is the largest number of processes (possibly infinite) that can achieve consensus asynchronously [13] by
applying operations to a shared X. It is impossible to construct a non-blocking implementation of any object
with consensus number n from objects with lower consensus numbers in a system of n or more processes,
although any object with consensus number n is universal (it supports a wait-free implementation of any
other object) in a system of n or fewer processes.”

Does there exist a robust wait-free hierarchy? We do not know the answer yet. However,
we define three natural variants of Herlihy's hierarchy, which are also infinite wait-free
hierarchies. We prove that two of these are not robust.³ The third hierarchy, whose robustness
is still open, has the following property: if it is not robust, then there is no robust wait-free
hierarchy. We believe that resolving the robustness of this hierarchy is an important open
problem in wait-free synchronization.

³In proving this, we show the following result which is interesting in its own right. There exist two types
such that (i) Even 2-process consensus cannot be solved using objects of either type, and (ii) N-process
consensus (for all N) can be solved using the two types of objects together.

This paper is the first to formalize and study robustness. The technical arguments
involved in proving the impossibility result that k T_sp objects cannot implement a (k + 2)-process
consensus object are novel. Traditional bivalency arguments are inadequate to prove
such lower bounds.

2 Informal model

A concurrent system consists of processes and shared objects. We write (P_1, ..., P_n; O_1, ..., O_m)
to denote a concurrent system consisting of processes P_1, ..., P_n and shared objects O_1, ..., O_m.
Besides a unique name, every object has two attributes: a type and a positive integer which
denotes the maximum number of processes which may apply operations on that object.
We say that O is an N-process object if N is the maximum number of processes which
may apply operations on O. The type specifies the behavior of the object when operations
are applied sequentially, without overlap. More precisely, an object type T is a tuple (OP,
RES, G), where OP and RES are sets of operations and responses respectively, and G is a
directed finite or infinite multi-graph in which each edge has a label of the form (op, res)
where op ∈ OP and res ∈ RES. We refer to G as the sequential specification of T, and the
vertices of G as the states of T. Intuitively, if there is an edge, labeled (op, res), from state
σ to state σ', it means that applying the operation op to an object in state σ may change
the state to σ' and return the response res.

A sequence S = (op_1, res_1), (op_2, res_2), ..., (op_l, res_l) is legal from state σ of T if there
is a path labeled S in G from the state σ. T is deterministic if for every state σ of T
and every operation op ∈ OP, there is at most one edge from σ labeled (op, res) (for some
res ∈ RES). T is non-deterministic otherwise. T is total if for every state σ of T and every
operation op ∈ OP, there is at least one edge from σ labeled (op, res) (for some res ∈ RES).
In this paper, we restrict our attention to total types.

An N-process object O of type T supports the set of procedures Apply(P_i, op, O),
for all 1 ≤ i ≤ N and op ∈ OP(T). A process P invokes operation op on object O
by calling Apply(P, op, O), and executes the operation by executing this procedure. The
operation completes when the procedure terminates. The response for an operation is the
value returned by the procedure. We denote the event of P invoking operation op on O by
inv(P, op, O), and the event of O returning a response v to P by resp(P, v, O).

The  type  of  an  object,  by  itself,  is  not  sufficient  to  characterize  the  behavior  of  the 
object  in  the  presence  of  concurrent  operations.  To  characterize  such  behavior,  we  use  the 
concept of linearizability [HW90]. Roughly speaking, linearizability requires every operation
execution to appear to take effect instantaneously at some point in time between its
invocation  and  response.  We  make  it  more  precise  below. 

Consider a concurrent system S = (P_1, P_2, ..., P_n; O_1, O_2, ..., O_m). A configuration
of S is a tuple consisting of the states of the processes P_1, ..., P_n and the states of the
objects O_1, ..., O_m. An execution E of S is a sequence C_0, e_0, C_1, e_1, C_2, e_2, ... where C_i's
are configurations of S, C_0 is the initial configuration, e_i's are events, and C_{i+1} is the
configuration that results when event e_i occurs in configuration C_i. The history in E is the
subsequence of events in E. The history of object O in E is the subsequence of events of
O in E. If e and e' are two events in a history H, we write e <_H e' if e is before e' in
H. A complete operation in H is a pair of events in H — an invocation and its matching
response. An incomplete operation in H is an invocation that has no matching response.
H is complete if it has no incomplete operations. If op and op' are two operations in H, we
write op <_H op' if the response of op is before the invocation of op' in H. Two operations
op and op' are concurrent if neither op <_H op' nor op' <_H op. H is sequential if it has no
concurrent operations.

Let H be a history of object O. A linearization of H is a complete sequential history
S with the following properties:

1. S includes every complete operation in H.

2. Let inv(P_i, op, O) be an invocation in H with no matching response (and is thus an
incomplete operation). Then, either S does not include this incomplete operation or
S includes a complete operation (inv(P_i, op, O), resp(P_i, v, O)) for some v.

Intuitively, this captures the notion that some incomplete operations in H had a
“visible” effect, while the others did not.

3. S includes no operations other than the ones mentioned in 1 or 2.

4. For all operations op, op' in S, if op <_H op' then op <_S op'.

Thus, the order of non-overlapping operations in H is preserved in S.


Notice that a given history may have several linearizations. A history H of object O is
linearizable with respect to type T, initialized to state σ, if H has a linearization which is
legal from state σ of T.

Processes  are  asynchronous:  there  are  no  bounds  on  the  relative  speeds  of  processes. 
Furthermore,  a  process  may  crash:  a  process  may  stop  at  an  arbitrary  point  in  an  execution 
and  never  take  any  steps  thereafter.  A  process  is  correct  in  an  execution  E  if  it  does  not 
crash  in  E.  We  assume  that  every  correct  process  has  an  infinite  number  of  events  in  an 
infinite  execution.  An  object  O  is  wait-free  in  an  execution  E  if  either  (i)  E  is  finite,  or  (ii) 
every  invocation  on  O  from  a  process  that  does  not  crash  in  E  has  a  matching  response. 

Let T be an object type and L = (T_1, T_2, ...) be a (possibly infinite) list of (not
necessarily distinct) object types. Let Σ = (σ_1, σ_2, ...) be a list where σ_i is a state of type
T_i. An implementation of T, initialized to state σ, from (L, Σ) for N processes is a function
I(O_1, O_2, ...) such that if O_1, O_2, ... are N-process objects of type T_1, T_2, ..., initialized to
states σ_1, σ_2, ..., respectively, then O = I(O_1, O_2, ...) is an N-process object of type T,
initialized to σ. Intuitively, I(O_1, O_2, ...) returns a set of procedures Apply(P_i, op, O), for
1 ≤ i ≤ N and op ∈ OP(T). Apply(P_i, op, O) specifies how process P_i should “simulate”
the operation op on O in terms of operations on O_1, O_2, .... We say O is a derived object
of the implementation I, and O_1, O_2, ..., O_n are the base objects of O.

We say that I is an implementation of T, initialized to state σ, from a set S of types
for N processes if there is a list L = (T_1, T_2, ...) of types and a list Σ = (σ_1, σ_2, ...) of states
such that T_i ∈ S, σ_i is a state of T_i, and I is an implementation of T, initialized to σ, from
(L, Σ) for N processes. We say that a type T has an implementation from a set S of types
for N processes if for every state σ of T, there is an implementation of T, initialized to σ,
from S for N processes.

An implementation is wait-free if it has the following property: if all base objects are
wait-free in an execution E, then the derived object is wait-free in E. Hereafter when we
write “implementation”, it stands for “wait-free implementation”.

We now define consensus and register — two object types that appear frequently
in this paper. Type consensus supports two operations: propose(0) and propose(1). The
sequential specification of consensus is in Figure 1. From the specification, it is clear that a
consensus object O has the following properties: (i) If O returns a response v, then there is
an invocation of propose(v) preceding this response, and (ii) O returns the same response
to all operations. These are known as the validity and agreement properties, respectively, of
a consensus object. Sometimes we refer to the consensus problem for processes P_1, P_2, ..., P_n.
This problem is stated as follows. Each process P_i is initially given a binary input v_i. Each
correct process P_i must eventually decide a value d_i such that (i) d_i ∈ {v_1, v_2, ..., v_n}, and
(ii) ∀ 1 ≤ i, j ≤ n : d_i = d_j. These two conditions are commonly referred to as the validity
and agreement requirements of the consensus problem.

Type register supports the operations {read} ∪ {write(v) | v ≥ 0}, and has the
sequential specification given in Figure 2.
OP = {propose(v) | v ∈ {0, 1}}
Object State:
    X ∈ {⊥, 0, 1}

propose(v)
    if X = ⊥ then
        X := v
    return(X)


Figure 1: Sequential specification of consensus


OP = {read} ∪ {write(v) | v ≥ 0}
Object State:
    X ∈ {0, 1, 2, ...}

read()
    return(X)

write(v)
    X := v
    return(ack)


Figure 2: Sequential specification of register
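
The linearizability definition of Section 2, checked mechanically against the sequential specifications of Figures 1 and 2. This is an added example, not code from the paper; the event tuples, function names and sample histories are assumptions constructed for illustration.

```python
# Added example: searches for a linearization S of a single-object history H.
# Event encoding (assumed): ("inv", P, op) and ("resp", P, v).

BOTTOM = None  # stands for the value ⊥ in Figure 1


def consensus_step(state, op):
    """Figure 1: propose(v) sets X := v if X = ⊥, then returns X."""
    new = op[1] if state is BOTTOM else state
    return [(new, new)]


def register_step(state, op):
    """Figure 2: read returns X; write(v) sets X := v and returns ack."""
    if op[0] == "read":
        return [(state, state)]
    return [(op[1], "ack")]


def operations(history):
    """Pair every invocation with its matching response, if it has one."""
    ops, pending = [], {}
    for idx, (kind, proc, payload) in enumerate(history):
        if kind == "inv":
            if proc in pending:
                raise ValueError(f"{proc} invoked with an operation pending")
            pending[proc] = len(ops)
            ops.append({"proc": proc, "op": payload, "inv": idx,
                        "resp": None, "res": None})
        elif kind == "resp" and proc in pending:
            rec = ops[pending.pop(proc)]
            rec["resp"], rec["res"] = idx, payload
        else:
            raise ValueError(f"unmatched event at position {idx}")
    return ops


def linearization(history, step, init):
    """Return a linearization of `history` legal from state `init`, or None.

    `step(state, op)` lists the (next_state, response) edges leaving `state`
    in the sequential specification, so non-deterministic types are allowed.
    """
    ops = operations(history)
    complete = frozenset(i for i, o in enumerate(ops) if o["resp"] is not None)
    dead = set()  # (linearized set, state) pairs already shown to fail

    def search(done, state, order):
        if complete <= done:  # property 1: every complete operation is in S
            return order
        if (done, state) in dead:
            return None
        for i, o in enumerate(ops):
            if i in done:
                continue
            # Property 4: an operation whose response precedes o's invocation
            # in H must already have been placed in S.
            if any(ops[j]["resp"] < o["inv"] for j in complete - done):
                continue
            for nxt, res in step(state, o["op"]):
                # A complete operation keeps the response recorded in H; an
                # incomplete one (property 2) may be given any response.
                if o["resp"] is not None and res != o["res"]:
                    continue
                found = search(done | {i}, nxt,
                               order + [(o["proc"], o["op"], res)])
                if found is not None:
                    return found
        dead.add((done, state))
        return None

    return search(frozenset(), init, [])


# Constructed histories (not from the paper).
H_OVERLAP = [("inv", "P1", ("propose", 0)), ("inv", "P2", ("propose", 1)),
             ("resp", "P2", 1), ("resp", "P1", 1)]
H_DISAGREE = [("inv", "P1", ("propose", 0)), ("inv", "P2", ("propose", 1)),
              ("resp", "P1", 0), ("resp", "P2", 1)]
# P1 crashes after invoking; its operation still has a "visible" effect.
H_CRASH = [("inv", "P1", ("propose", 1)), ("inv", "P2", ("propose", 0)),
           ("resp", "P2", 1)]
# Register initialized to 0: a read that starts after write(1) completed.
H_STALE_READ = [("inv", "P1", ("write", 1)), ("resp", "P1", "ack"),
                ("inv", "P2", ("read",)), ("resp", "P2", 0)]
# The same read, but concurrent with the write.
H_CONCURRENT_READ = [("inv", "P2", ("read",)), ("inv", "P1", ("write", 1)),
                     ("resp", "P1", "ack"), ("resp", "P2", 0)]

if __name__ == "__main__":
    for name, hist, step, init in [
            ("overlap", H_OVERLAP, consensus_step, BOTTOM),
            ("disagree", H_DISAGREE, consensus_step, BOTTOM),
            ("crash", H_CRASH, consensus_step, BOTTOM),
            ("stale read", H_STALE_READ, register_step, 0),
            ("concurrent read", H_CONCURRENT_READ, register_step, 0)]:
        print(name, "->", linearization(hist, step, init))
```

H_CRASH is linearizable only because property 2 lets S include P1's incomplete propose(1); H_STALE_READ fails only because of property 4.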


3  Hierarchy  Preliminaries 

A hierarchy of shared types is a function that maps object types to levels in {1, 2, 3, ...} ∪
{∞}. An object type T is at level l in hierarchy h if h(T) = l. A hierarchy is non-trivial
if it has at least two non-empty levels. An object type T is universal for N processes if
for every type T', there is an implementation of T' from {T, register} for N processes. T
is universal (for ∞ processes) if for all N, T is universal for N processes. A hierarchy h
is a wait-free hierarchy if for all T, h(T) = N implies that T is universal for N processes.
Thus,  in  a  wait-free  hierarchy,  the  level  of  T  is  a  lower  bound  on  the  number  of  processes 
for  which  T  (together  with  registers)  can  support  arbitrary  wait-free  synchronization.  The 
following  proposition  is  immediate  from  the  definition. 

Proposition 3.1 If h is a wait-free hierarchy, and h' is a hierarchy such that ∀T : h'(T) ≤
h(T), then h' is a wait-free hierarchy.

Proposition 3.2 If h is a wait-free hierarchy, then h(register) = 1. Thus, level 1 of any
wait-free hierarchy is non-empty.

Proof There exist object types (for example, queue) which have no implementation from
register for two or more processes [Her91b]. Thus, register must be at level 1 in any
wait-free hierarchy. □

From Proposition 3.1, it is clear that there can be “slack” in a wait-free hierarchy.
This motivates us to define tightness. A wait-free hierarchy h is tight if for every wait-free
hierarchy h' and every type T, h(T) ≥ h'(T). A wait-free hierarchy is fully-refined if for all
levels k ∈ {1, 2, 3, ...} ∪ {∞}, there is some type in level k. A wait-free hierarchy h is robust
if for every type T and every finite set S of types, if h(T) = N and ∀T' ∈ S : h(T') < N,
then there is no implementation of T from S for N processes. The reader should note the
difference between tightness and robustness. The trivial wait-free hierarchy which maps
every object type to level 1 is obviously robust, but not tight. The wait-free hierarchy h_m^r
(to be defined soon) is tight, but it is not known whether it is robust.

In the remainder of this section, we define some natural wait-free hierarchies, and highlight
some simple properties of these hierarchies. In the following definitions, the subscript
indicates whether the definition allows just 1 or many objects of the argument type. The
superscript r indicates that the definition allows the use of registers.

1. h_1(T) = maximum number of processes for which a consensus object can be implemented
using just a single object of type T. If there is no such maximum, then
h_1(T) = ∞.

2. h_1^r(T) = maximum number of processes for which a consensus object can be implemented
using just a single object of type T and any number of registers. If there is
no such maximum, then h_1^r(T) = ∞.

Notice that this is Herlihy's hierarchy.

3. h_m(T) = maximum number of processes for which a consensus object can be implemented
using any number of objects of type T. If there is no such maximum, then
h_m(T) = ∞.

4. h_m^r(T) = maximum number of processes for which a consensus object can be implemented
using any number of objects of type T and any number of registers. If there
is no such maximum, then h_m^r(T) = ∞.

Proposition 3.3 Each of h_1, h_1^r, h_m, h_m^r is a fully-refined wait-free hierarchy.

Proof Herlihy's universality result trivially implies that these are wait-free hierarchies.
That these are fully-refined follows from the easy observation that ∀h ∈ {h_1, h_1^r, h_m, h_m^r} and
k ∈ {1, 2, 3, ...} ∪ {∞}, h(k-cons) = k. (See Figure 3 for the definition of the type k-cons.)
□


OP = {propose(v) | v ∈ {0, 1}}
Object State:
    X ∈ {⊥, 0, 1}
    N ∈ {0, 1, 2, ...}

propose(v)
    N := N + 1
    if X = ⊥ then
        X := v
    if N ≤ k then
        return(X)
    else return(⊥)


Figure 3: Sequential specification of k-cons


Proposition 3.4 h_m^r(T) = N < ∞ if and only if T is universal for N processes, but not
for N + 1 processes. h_m^r(T) = ∞ if and only if T is universal.

Proposition 3.5 If h is a tight wait-free hierarchy, then h = h_m^r. In other words, h_m^r is the
unique wait-free hierarchy which is tight.

The hierarchy h_m^r is uniquely important in the study of robust wait-free hierarchies. To
formally state this, we need a definition. Let σ = (l_1, l_2, l_3, ...) be a finite/infinite sequence
such that 1 = l_1 < l_2 < l_3 ... and l_i ∈ {1, 2, 3, ...} ∪ {∞}. We say g is a coarsening of
hierarchy h with respect to σ if, for all object types T, we have:

1. If l_i ≤ h(T) < l_{i+1}, then g(T) = l_i.

2. If l_i ≤ h(T) and l_i is the last element of σ, then g(T) = l_i.

3. If h(T) = ∞ and σ is infinite, then g(T) = ∞.

Intuitively, levels l_i ... (l_{i+1} - 1) in h are lumped into level l_i of g, causing levels
(l_i + 1) ... (l_{i+1} - 1) to be empty in g. We say g is a coarsening of a hierarchy h if there is
a σ of the form 1 = l_1 < l_2 < l_3 ... such that g is a coarsening of h with respect to σ. It is
obvious that if h is a wait-free hierarchy, so is every coarsening of h.

Theorem 3.1 If h is a robust wait-free hierarchy, then h is a coarsening of h_m^r.

Proof Assume that h is a robust wait-free hierarchy, and is not a coarsening of h_m^r. Let
σ = (l_1, l_2, l_3, ...) where 1 = l_1 < l_2 < l_3 ... are all the non-empty levels of h. Define g to be
the coarsening of h_m^r with respect to σ. From our assumption that h is not a coarsening of
h_m^r, it follows that h ≠ g. Thus, there is a type T such that h(T) ≠ g(T). Let m = h(T)
and n = g(T). By definition of g, a level k of g is non-empty if and only if level k of h
is non-empty. Together with m ≠ n, this implies that there exist types T' and T'', each
different from T, such that g(T') = m and h(T'') = n. Since m ≠ n, we are left with two
cases to consider.

1. m < n.

Since g(T) = n, it follows that h_m^r(T) ≥ n. Thus, by Proposition 3.4, T is universal for
n processes. In particular, there is an implementation of T'' from {T, register} for
n processes. Since h(T) = m < n = h(T''), h is not robust. This is a contradiction.

2. m > n.

From the above, g(T') = m. Thus, level m of g is not empty. This, together with
m > n, implies that n ≤ h_m^r(T) < m. This implies, by Proposition 3.4, that T is
not universal for m processes. Since h(T) = m, it follows that h is not a wait-free
hierarchy. This is a contradiction.

This completes the proof of the theorem. □

What can we say about the robustness of h_1, h_1^r, and h_m? This question is addressed
by the following proposition.

Proposition 3.6 Let h ∈ {h_1, h_1^r, h_m}. If h ≠ h_m^r, then h is neither tight nor robust.

Proof Proposition 3.5 implies that h is not tight. Theorem 3.1 and Proposition 3.3 imply
that h is not robust. □

Does one of h_1, h_1^r, and h_m define the same hierarchy as h_m^r? The answer is not easy. For
instance, h_1^r differs from h_m^r if and only if there is a type such that multiple objects of this
type (together with registers) can solve consensus among a larger number of processes than
a single object (together with registers) can. Does such a type exist? No common object
type exhibits such a property and, hence, it is a non-trivial question. Similarly, h_m differs
from h_m^r if and only if there is a type such that the use of registers increases the number
of processes for which consensus can be solved using objects of this type. Again, common
object types do not exhibit this property, making it difficult to answer whether such types
exist.

In the rest of the paper, we prove that each of h_1, h_1^r, and h_m differs from h_m^r. Thus,
none of h_1, h_1^r, and h_m is robust. In particular, h_1^r, which is the same as Herlihy's wait-free
hierarchy, is not robust. Unfortunately, we do not yet know whether h_m^r or some coarsening
of it is robust. This is an important open question. We hope that the ideas employed in
this paper would provide useful insights.
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Figure  4:  Object  type  Teticky 


4 On the robustness of $h_1^r$ (Herlihy's hierarchy)

The main result of this section is that $h_1^r$ is not robust. We prove this result by presenting
an object type $T_{sp}$ with the following property: $n$ $T_{sp}$ objects, together with registers, can
implement a consensus object for $n + 1$ processes, but not for $n + 2$ processes. This implies
$h_1^r(T_{sp}) = 2$ and $h_m^r(T_{sp}) = \infty$. Thus, $h_1^r \neq h_m^r$, and by Proposition 3.6, $h_1^r$ is not robust.

Consider the object type $T_{sticky}$ in Figure 4. It supports two operations, L-op and
R-op, and responds with either L-first or R-first. If L-op is applied on a $T_{sticky}$ object
$O$, initialized to state $S_\bot$, $O$ changes state to $S_L$ and returns L-first as the response.
Furthermore, $O$ returns L-first to all subsequent operations, reflecting the fact that L-op
was the first operation applied on $O$. The behavior is symmetric if, instead of L-op, R-op
was the first operation applied on $O$. In essence, the first operation "sticks" to $O$ and
determines the response for all operations. Notice that $T_{sticky}$ is similar to the consensus
[Her91b] and sticky-bit [Plo89] object types.

Now consider the type $T_{sp}$, a variant of $T_{sticky}$, shown in Figure 5. $T_{sp}$ lacks the
symmetry of $T_{sticky}$. If R-op is applied to a $T_{sp}$ object $O$, initialized to $S_\bot$, R-op sticks to
$O$ as before. However, as soon as R-op is applied for the second time, it "unsticks" and $O$
starts behaving as though it had been stuck with L-op all along. The following is a trivial
consequence of the definition of $T_{sp}$.

Lemma 4.1 Let $O$ be an object of type $T_{sp}$ initialized to $S_\bot$. Let $E$ be an execution in
which R-op is applied at most once on $O$. Then, the following statements are true in $E$.

1. If $r_1$ and $r_2$ are the responses to any two operations on $O$, then $r_1 = r_2$.

2. If $O$ returns a response D-first ($D \in \{L, R\}$), then an invocation of D-op precedes this
response.


4.1 Implementing consensus from {$T_{sp}$, register} - upper bound

In this section, we show how to implement a consensus object for $n$ processes using $(n - 1)$
$T_{sp}$ objects and $2(n - 1)$ registers. Our implementation is recursive. Let $\mathcal{I}_j$ denote the
implementation of consensus from {$T_{sp}$, register} for processes $P_1, P_2, \ldots, P_j$. The base
case is to derive $\mathcal{I}_1$, implementation of consensus for the single process $P_1$, and is trivial:
if $O_1$ is a derived object of $\mathcal{I}_1$, Apply($P_1$, propose $v_1$, $O_1$) simply returns $v_1$. The recursive
step of deriving $\mathcal{I}_n$ from $\mathcal{I}_{n-1}$ is presented in Figure 6.

Figure 5: Object type $T_{sp}$

    O_{n-1}: consensus object for P_1, ..., P_{n-1}, derived from I_{n-1}
    O_sp: T_sp object, initialized to S_⊥
    L, R: binary registers

    Apply(P_i, propose v_i, O_n)   (for 1 ≤ i ≤ n - 1)
    1. L := Apply(P_i, propose v_i, O_{n-1})
    2. if Apply(P_i, L-op, O_sp) = L-first
    3.     return(L)
    4. else return(R)

    Apply(P_n, propose v_n, O_n)
    1. R := v_n
    2. if Apply(P_n, R-op, O_sp) = L-first
    3.     return(L)
    4. else return(R)

Figure 6: Implementing consensus with $T_{sp}$ and register

Lemma 4.2 The implementation $\mathcal{I}_n$ in Figure 6 is a correct implementation of consensus
from {$T_{sp}$, register} for processes $P_1, P_2, \ldots, P_n$. $\mathcal{I}_n$ requires $(n - 1)$ objects of type $T_{sp}$
and $2(n - 1)$ registers.

Proof We prove the correctness of $\mathcal{I}_n$ by induction. The following is the induction
hypothesis: for $1 \le j \le n - 1$, $\mathcal{I}_j$ is a correct implementation of consensus for processes
$P_1, P_2, \ldots, P_j$. The base case, namely, that $\mathcal{I}_1$ (described above) is a correct implementation
of consensus for $P_1$, is obvious. The induction step is proven through several simple
claims. Let $O_n$ be a derived object of $\mathcal{I}_n$. Consider an execution $E$ of the concurrent system
$(P_1, P_2, \ldots, P_n; O_n)$. Assume that each $P_i$ executes Apply($P_i$, propose $v_i$, $O_n$) at most
once in $E$.† We make the following claims about $E$. The proof of each claim follows its
statement.

C1. For $D \in \{L, R\}$, the following holds:

1. Every process that writes the register $D$ writes the same value $V$ in $D$.

2. If $D = L$, $V \in \{v_1, v_2, \ldots, v_{n-1}\}$. Otherwise, $V = v_n$.

For $D = R$, the claim is obvious since only $P_n$ writes $R$. For $D = L$, the claim follows
from the agreement and validity properties of $O_{n-1}$.

C2. Some process completes a write on $D$ before any process receives the response D-first
from $O_{sp}$.

By Lemma 4.1, some process, say $P_k$, invokes D-op before any process receives the
response D-first. By the implementation, this process $P_k$ will have completed a write
on the register $D$ before invoking D-op on $O_{sp}$.

Consider, for arbitrary $i, j$ and $i \neq j$, the executions of Apply($P_i$, propose $v_i$, $O_n$)
and Apply($P_j$, propose $v_j$, $O_n$) in $E$. By Lemma 4.1, the responses received by $P_i$ and $P_j$
from $O_{sp}$ (in Statement 2 of their respective executions) are the same. Let D-first be this
response (for some $D \in \{L, R\}$). Thus, in Statement 3, both Apply($P_i$, propose $v_i$, $O_n$)
and Apply($P_j$, propose $v_j$, $O_n$) read and return the value in the register $D$. From Claims
C2 and C1, it follows that both Apply($P_i$, propose $v_i$, $O_n$) and Apply($P_j$, propose $v_j$, $O_n$)
read the same value $V$ in $D$ and that $V \in \{v_1, v_2, \ldots, v_n\}$. Thus, the value returned by
both Apply($P_i$, propose $v_i$, $O_n$) and Apply($P_j$, propose $v_j$, $O_n$) is the same and is from
$\{v_1, v_2, \ldots, v_n\}$. It is obvious that the implementation is wait-free. Hence the lemma. □

Corollary 4.1 $h_m^r(T_{sp}) = \infty$.
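The recursive construction of Figure 6 can be checked mechanically for small $n$. The Python sketch below is an added example, not part of the paper: it encodes the behaviour of $T_{sp}$ as the text describes it (the transition table, state names and function names are assumptions of this example) and explores every interleaving of the atomic register and $T_{sp}$ steps of $\mathcal{I}_n$.

```python
BOT, S_L, S_R = "S_bot", "S_L", "S_R"   # the three states of T_sp


def tsp_apply(state, op):
    """Sequential specification of T_sp: (state, op) -> (new state, response)."""
    if state == BOT:                       # the first operation sticks
        return (S_L, "L-first") if op == "L-op" else (S_R, "R-first")
    if state == S_R and op == "L-op":      # R-op is still stuck
        return S_R, "R-first"
    return S_L, "L-first"                  # S_L, or a second R-op "unsticking" S_R


def run_sequence(ops, state=BOT):
    """Responses of one T_sp object to a sequential list of operations."""
    out = []
    for op in ops:
        state, resp = tsp_apply(state, op)
        out.append(resp)
    return out


def step(cfg, idx, n):
    """One atomic shared-memory step of process P_{idx+1} in I_n."""
    procs, regs, sp = cfg
    level, phase, d, resp = procs[idx]
    side = 1 if idx + 1 == level else 0    # 1: acts as P_level (register R, R-op)
    regs, sp = list(regs), list(sp)
    if phase == 0:                         # statement 1: write L (or R)
        pair = list(regs[level])
        pair[side] = d
        regs[level] = tuple(pair)
        new = (level, 1, d, None)
    elif phase == 1:                       # statement 2: apply L-op (or R-op)
        sp[level], resp = tsp_apply(sp[level], "R-op" if side else "L-op")
        new = (level, 2, d, resp)
    else:                                  # statements 3/4: read the winning register
        d = regs[level][0 if resp == "L-first" else 1]
        new = (level + 1, 0, d, None)
    return procs[:idx] + (new,) + procs[idx + 1:], tuple(regs), tuple(sp)


def outcomes(inputs):
    """Decision vectors reachable under every interleaving of I_n, n = len(inputs)."""
    n = len(inputs)
    # P_i first takes part at level max(i, 2); level n + 1 means "decided d".
    procs = tuple((max(i, 2), 0, v, None) for i, v in enumerate(inputs, start=1))
    start = (procs, ((None, None),) * (n + 1), (BOT,) * (n + 1))
    seen, stack, results = {start}, [start], set()
    while stack:
        cfg = stack.pop()
        enabled = [i for i, p in enumerate(cfg[0]) if p[0] <= n]
        if not enabled:                    # every process has decided
            results.add(tuple(p[2] for p in cfg[0]))
        for i in enabled:
            nxt = step(cfg, i, n)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return results


def is_consensus(inputs):
    """Agreement and validity over all interleavings."""
    return all(len(set(r)) == 1 and r[0] in inputs for r in outcomes(inputs))


if __name__ == "__main__":
    print(run_sequence(["R-op", "R-op", "L-op"]))   # a second R-op breaks Lemma 4.1
    print(sorted(outcomes((10, 20, 30))))
```

Because each level's $T_{sp}$ object receives R-op from exactly one process, Lemma 4.1 applies at every level; `run_sequence` shows how two R-ops on the same object would make the responses disagree.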

4.2 Implementing consensus from {$T_{sp}$, register} - lower bound

The main technical result of this section states that any solution to $n$-process wait-free
consensus using $T_{sp}$ objects and registers requires at least $n - 1$ $T_{sp}$ objects, regardless of
how many registers are available. We prove this result by reducing the "1-resilient consensus
problem for $n$ processes communicating via registers*" to the "wait-free consensus problem
for $n$ processes communicating via registers and $(n - 2)$ $T_{sp}$ objects". The former problem is
impossible to solve [LAA87]. Hence the impossibility of the latter. The reduction is based
on the novel concept of k-trap implementations.

†This is not a limitation for the following reason. After $P_i$ executes Apply($P_i$, propose $v_i$, $O_n$) once, it
can record the return value in its local variable. Thereafter, when $P_i$ needs to apply a propose operation on
$O_n$, it may simply return the value of this local variable as the response. This strategy works because $O_n$
is a consensus object, and therefore must return the same response to every invocation.

*A protocol is k-resilient if it meets the problem specification despite the crash of $k$ or fewer processes.

4.2.1 k-trap implementations

An implementation for processes $P_1, P_2, \ldots, P_n$ is a k-trap implementation if every
derived object $O$ of the implementation has the following property: in any execution of
$(P_1, P_2, \ldots, P_n; O)$, regardless of the relative execution speeds of processes, all but up to $k$
correct processes will be able to eventually complete their operations on $O$. In other words,
$O$ appears wait-free to all but up to $k$ correct processes.

We now contrast k-trap implementations with the familiar wait-free, non-blocking,
and critical-section based implementations. Critical-section based implementations and
non-blocking implementations (for $n$ processes) are both $(n - 1)$-trap implementations. A
critical-section based implementation is $(n - 1)$-trap because the crash of a single process in
the critical section blocks the remaining $(n - 1)$ processes. A non-blocking implementation
is $(n - 1)$-trap because repeated execution of operations by one process could cause the
remaining processes to block. The converse does not hold: an $(n - 1)$-trap implementation
does not guarantee the properties of either a critical-section based implementation or a
non-blocking implementation. To see this, suppose that exactly one process, say $P$, attempts
to access the object, and suppose that $P$ is correct. In the case of a critical-section based
implementation or a non-blocking implementation, $P$ is guaranteed to complete its operation
on the object. But in a k-trap implementation ($k \ge 1$), $P$ may block. Finally, note that a
0-trap implementation is the same as a wait-free implementation.

The following lemma establishes the utility of k-trap implementations in proving lower
bounds.

Lemma 4.3 Let $T$ be any object type such that for every state $\sigma$ of $T$, there is a 1-trap
implementation $\mathcal{I}_\sigma$ of $T$, initialized to $\sigma$, from register for $n$ processes. Then, any wait-free
implementation of consensus from {$T$, register} for $n$ processes requires at least $n - 1$
objects of type $T$ (regardless of how many registers it uses).

Proof Suppose that the lemma is false, and there is a wait-free implementation $\mathcal{J}$ of
consensus from {$T$, register} for $n$ processes such that $\mathcal{J}$ requires only $n - 2$ objects of type
$T$, initialized to states $\sigma_1, \sigma_2, \ldots, \sigma_{n-2}$ of $T$, and $m$ registers (for some $m > 0$). Consider the
protocol $\mathcal{P}$ in Figure 7. Clearly, processes communicate exclusively via registers in protocol
$\mathcal{P}$. We argue below that $\mathcal{P}$ solves the consensus problem for processes $P_1, P_2, \ldots, P_n$ even
if (at most) one of the processes may crash. By the impossibility result in [LAA87], such a
protocol does not exist. Hence the lemma.

    1. For 1 ≤ i ≤ n - 2, use I_{σ_i} to implement an object O_i of type T initialized to state σ_i.

    2. Use J to implement a consensus object O from O_1, O_2, ..., O_{n-2} and registers
       R_1, R_2, ..., R_m.

    3. Let D be a 3-valued register initialized to ⊥.

    4. For 1 ≤ i ≤ n, let v_i be the binary input value of process P_i for consensus. Process P_i
       executes the following procedure. We require that statements 1 and 2 are executed in
       a fair manner.

       cobegin
         1. D := Apply(P_i, propose v_i, O)
         2. repeat until (D ≠ ⊥)
            decide D
       coend

Figure 7: 1-resilient consensus protocol $\mathcal{P}$ for $n$ processes

We claim that at most $(n - 2)$ processes block on $O$. This follows from the following
facts:

1. $n - 2$ base objects of $O$ are 1-trap. So at most one process blocks on each of these.

2. No process blocks on the remaining base objects of $O$, the registers $R_1, R_2, \ldots, R_m$.

3. $O$ is derived from a wait-free implementation.

Therefore, if at most one of $P_1, P_2, \ldots, P_n$ crashes, there is still one process, call it
$P_k$, that neither crashes nor blocks on $O$. This process $P_k$ eventually writes the response,
call it $V$, returned by Apply($P_k$, propose $v_k$, $O$) in register $D$. Since $O$ satisfies validity,
we have $V \in \{v_1, v_2, \ldots, v_n\}$. Since $O$ satisfies agreement, no process ever writes a value
different from $V$ in register $D$. Since Statements 1 and 2 are executed in a fair manner,
every non-crashing process eventually reads $V$ and decides $V$. In other words, $\mathcal{P}$ solves the
consensus problem for $P_1, P_2, \ldots, P_n$ even if at most a single process may crash. □

4.2.2 1-trap implementation of $T_{sp}$

Recall that $T_{sp}$ has three states: $S_\bot$, $S_L$, and $S_R$. We now present a 1-trap implementation
of $T_{sp}$ initialized to $S_\bot$, and 0-trap implementations of $T_{sp}$ initialized to $S_L$ or $S_R$. These
implementations use only registers as base objects. Thus, by Lemma 4.3, we have the
desired lower bound.

A 1-trap implementation of $T_{sp}$, initialized to $S_\bot$, from register for $n$ processes is
presented in Figure 8. This implementation is subtle. We present below an informal and
intuitive argument of its correctness before proceeding to give the formal proof. Consider
$O$, a $T_{sp}$ object derived from this implementation. Let $H$ be a history of $O$, and let first-op
denote the first operation to complete in $H$. There are two cases. Case (1) corresponds
to first-op being an L-op operation. Consider the linearization $S$ which includes only the
complete operations in $E$ and sequences them in the order of their completion times. Thus,
first-op, which is an L-op operation, becomes the first operation in $S$. Furthermore,
the response of every operation in $S$ is L-first (this is obvious from the implementation).
From the sequential specification of $T_{sp}$ in Figure 5, it is obvious that $S$ is legal from
the state $S_\bot$ of $T_{sp}$.

Now consider Case (2), which corresponds to first-op being an R-op
operation. The key observation is that if first-op, which is an R-op operation, completed in
$H$, then by our implementation, there must be another R-op operation, call it blocked-op,
from a different process which is concurrent with first-op and is blocked. Let us pretend
that, although incomplete, blocked-op has indeed taken effect in $H$, and has R-first for its
response. Consider the linearization $S$ which sequences blocked-op first, first-op second, and
the remaining complete operations in $H$ in the order of their completion times. (blocked-op
can be linearized before first-op since these two operations are concurrent.) Thus the
first operation in the linearization $S$ is an R-op operation with R-first as the associated
response. The second operation in the linearization is also an R-op operation, and has
L-first as the associated response. The remaining operations in the linearization have
L-first as their response. From the sequential specification of $T_{sp}$ in Figure 5, it is obvious
that this linearization $S$ is legal from the state $S_\bot$ of $T_{sp}$. Hence the correctness of our
implementation. We formalize the above arguments and present a more rigorous proof of
correctness below. The proof is based on a series of claims.

    R[1..n]: binary (1-writer, n-reader) registers initialized to 0

    Apply(P_i, L-op, O)
        return(L-first)

    Apply(P_i, R-op, O)
    1. if (∀k : R[k] = 0) then
    2.     R[i] := 1
    3.     repeat until (∃j < i : R[j] = 1)
    4. return(L-first)

Figure 8: 1-trap implementation of $T_{sp}$, initialized to $S_\bot$, from register

Claim 4.1 The implementation is 1-trap.

Proof Clearly, a correct process $P_i$ blocks if and only if the repeat ... until loop (Statement
3 of Apply($P_i$, R-op, $O$)) never terminates. By Statement 2, such a $P_i$ will have written the
value 1 into $R[i]$.

Suppose that the claim is false, and two correct processes $P_i$ and $P_j$ (assume $j < i$) block
on $O$. It follows that $R[i] = R[j] = 1$ and each of $P_i$ and $P_j$ is caught in the repeat ... until
loop that never terminates. Process $P_i$ eventually notices that $R[j] = 1$, and since $j < i$, $P_i$
quits the repeat ... until loop, and returns L-first. This contradicts the assumption that $P_i$
blocks on $O$. □


The next claim asserts that if a process $P_i$ successfully completes an R-op operation
on $O$, then a different process $P_j$ is already blocked, unable to complete its R-op operation
on $O$.

Claim 4.2 Let $E$ be an execution of $(P_1, P_2, \ldots, P_n; O)$, and $H$ be the corresponding
history. Suppose that $H$ contains the two events: an invocation $e_i^{inv}$ = inv($P_i$, R-op, $O$)
and its matching response $e_i^{res}$ = resp($P_i$, L-first, $O$). Then $H$ contains an invocation
$e_j^{inv}$ = inv($P_j$, R-op, $O$) such that

1. $e_j^{inv} <_H e_i^{res}$, and

2. $e_j^{inv}$ has no matching response in $H$.

Proof The proof of this claim is based on the following observations:

O1. The predicate $\exists k : R[k] = 1$ is stable: that is, if it holds in some configuration of an
execution, it holds in every subsequent configuration of that execution. Furthermore,
this predicate must hold before a response can occur to any invocation of R-op.

The first part of this observation follows from the fact that once a 1 is written to a
register, it is never changed. The second part is obvious from Statements 1 and 2 of
the implementation.

O2. In $H$, let $k$ be the smallest integer such that $P_k$ has an invocation $e_k^{inv}$ = inv($P_k$,
R-op, $O$) and $P_k$ writes a 1 in $R[k]$. Then $e_k^{inv}$ has no matching response in $H$.

To see this, notice that after writing a 1 in $R[k]$, $P_k$ enters the repeat ... until loop.
This loop never terminates in $H$ because of our premise that $k$ is the smallest integer
such that $P_k$ writes a 1 in $R[k]$. Thus $P_k$ does not return from Apply($P_k$, R-op, $O$).

O3. In $H$, if a process $P_k$ writes 1 in $R[k]$ after an invocation $e_k^{inv}$ = inv($P_k$, R-op, $O$) and
before its matching response, then $e_k^{inv} <_H e_i^{res}$.

Suppose not. Then $e_i^{res} <_H e_k^{inv}$. After the invocation $e_k^{inv}$, when $P_k$ executes
Statement 1 of the procedure Apply($P_k$, R-op, $O$), the guard $\forall k : R[k] = 0$ evaluates to
false (by O1). Thus $P_k$ returns the response L-first without writing into $R[k]$. This
contradicts the premise that $P_k$ writes 1 into $R[k]$ after the invocation $e_k^{inv}$ and before
its response.

To complete the proof of the claim, let $S$ be the set of processes that invoke R-op on $O$
and write 1 into a register in the execution $E$. Since $H$ contains a response event $e_i^{res}$, by
O1, $S$ is non-empty. Let $j$ be the smallest integer such that $P_j \in S$. By O2, $P_j$'s invocation
$e_j^{inv}$ of R-op on $O$ has no matching response in $H$. By O3, $e_j^{inv} <_H e_i^{res}$. Hence the claim.
□

Claim 4.3 Let $E$ be an execution of $(P_1, \ldots, P_n; O)$, and $H$ be the history of $O$ in $E$. $H$
is linearizable with respect to $T_{sp}$, initialized to state $S_\bot$.

Proof If $H$ has no response events, then the claim is trivial: the empty sequence is a
linearization of $H$ and is legal from state $S_\bot$ of $T_{sp}$. Assume, therefore, that $H$ has one or
more response events. Let $e_i^{res}$ = resp($P_i$, L-first, $O$) be the earliest response in $H$. Let
$e_i^{inv}$ be the invocation whose matching response is $e_i^{res}$. There are two cases:

Case 1. $e_i^{inv}$ = inv($P_i$, L-op, $O$)

This corresponds to the case in which the first operation to complete is an L-op
operation from process $P_i$. Define a sequential history $S$ as follows:

1. $S$ includes all complete operations in $H$.

2. If two operations op and op' are in $S$, op $<_S$ op' if and only if the response of op
precedes the response of op' in $H$.

It is obvious that (i) $S$ is a linearization of $H$, and (ii) $S$ is legal from the state $S_\bot$ of
$T_{sp}$.

Case 2. $e_i^{inv}$ = inv($P_i$, R-op, $O$)

This corresponds to the case in which the first operation to complete is an R-op from
process $P_i$. By Claim 4.2, there is an invocation $e_j^{inv}$ = inv($P_j$, R-op, $O$) such that
$e_j^{inv} <_H e_i^{res}$ and $e_j^{inv}$ has no matching response in $H$. Define a sequential history $S$
as follows:

1. $S$ includes all complete operations in $H$, and the operation $(e_j^{inv}, e_j^{res})$ where
$e_j^{res}$ = resp($P_j$, R-first, $O$).

2. The operation $(e_j^{inv}, e_j^{res})$ precedes all other operations in $S$.

3. If op and op' are operations in $S$ different from $(e_j^{inv}, e_j^{res})$, op $<_S$ op' if and only
if the response of op precedes the response of op' in $H$.

It is easy to verify that (i) $S$ is a linearization of $H$, and (ii) $S$ is legal from the state
$S_\bot$ of $T_{sp}$.

Hence the claim. □

Lemma 4.4 Figure 8 presents a 1-trap implementation of $T_{sp}$, initialized to $S_\bot$, from
register for processes $P_1, P_2, \ldots, P_n$.

Proof  Follows  from  Claims  4.1  and  4.3.  □ 
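Claims 4.1 and 4.2 can be observed directly on small instances. The Python sketch below is an added example, not code from the paper: it models each register access of the R-op procedure in Figure 8 as one atomic step (a modelling assumption), explores every interleaving, and reports which processes remain blocked once no further progress is possible. All function names are this example's own.

```python
def r_op_step(cfg, i, n):
    """One atomic register access by P_{i+1} while it executes R-op."""
    R, pcs = cfg
    kind, k = pcs[i]
    R = list(R)
    if kind == "scan":                      # Statement 1: read R[k], looking for a 1
        if R[k]:
            new = ("done", 0)               # guard is false: return L-first
        else:
            new = ("scan", k + 1) if k + 1 < n else ("write", 0)
    elif kind == "write":                   # Statement 2: R[i] := 1
        R[i] = 1
        new = ("spin", 0)
    else:                                   # Statement 3: poll R[k] for some k < i
        new = ("done", 0) if R[k] else ("spin", (k + 1) % i)
    return tuple(R), pcs[:i] + (new,) + pcs[i + 1:]


def blocked_sets(n, participants=None):
    """Sets of processes (1-based) left blocked at the end of fair executions
    in which exactly the given participants each invoke R-op once."""
    who = set(range(1, n + 1)) if participants is None else set(participants)
    pcs = tuple(("scan", 0) if i + 1 in who else ("idle", 0) for i in range(n))
    start = ((0,) * n, pcs)
    seen, stack, finals = {start}, [start], set()
    while stack:
        cfg = stack.pop()
        R, pcs = cfg
        running = [i for i, (kind, _) in enumerate(pcs) if kind in ("scan", "write")]
        spinning = [i for i, (kind, _) in enumerate(pcs) if kind == "spin"]
        # Registers only change in "write" steps, so once nobody is running they
        # are frozen; a spinner can then leave its loop only if R[j] = 1 for j < i.
        if not running and not any(any(R[:i]) for i in spinning):
            finals.add(frozenset(i + 1 for i in spinning))
        # P_1 has no j < 1 to poll, so its loop never changes the configuration.
        for i in running + [i for i in spinning if i > 0]:
            nxt = r_op_step(cfg, i, n)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return finals


if __name__ == "__main__":
    print(blocked_sets(3))                  # always exactly one blocked process
    print(blocked_sets(3, participants={2}))
```

In every final configuration exactly one process, the lowest-indexed writer, is stuck in its loop while all other R-ops have returned L-first; this is the blocked operation that the proof of Claim 4.3 linearizes first with response R-first. The single-participant run shows a lone correct process blocking, which a non-blocking implementation would not allow.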

Lemma 4.5 Figure 9 presents a 0-trap (wait-free) implementation of $T_{sp}$, initialized to $S_R$,
from register for processes $P_1, P_2, \ldots, P_n$.

    R: binary register initialized to 0

    Apply(P_i, L-op, O)
        if (R = 0) then
            return(R-first)
        else return(L-first)

    Apply(P_i, R-op, O)
        R := 1
        return(L-first)

Figure 9: 0-trap implementation of $T_{sp}$, initialized to $S_R$, from register

Proof Let $E$ be an execution of $(P_1, P_2, \ldots, P_n; O)$, and let $H_R$ and $H_O$ be the histories of
objects $R$ and $O$, respectively, in $E$. Let $\Sigma_R$ be a linearization of $H_R$, which is legal from
the state 0 of register. For every operation op $\in \Sigma_R$, define $f$(op) as follows:

    if op = (inv(P_i, read, R), resp(P_i, 0, R)) then
        f(op) = (inv(P_i, L-op, O), resp(P_i, R-first, O))
    else if op = (inv(P_i, read, R), resp(P_i, 1, R)) then
        f(op) = (inv(P_i, L-op, O), resp(P_i, L-first, O))
    else if op = (inv(P_i, write 1, R), resp(P_i, ack, R)) then
        f(op) = (inv(P_i, R-op, O), resp(P_i, L-first, O))

Define a sequential history $\Sigma_O$ as follows:

1. For every operation op $\in \Sigma_R$, include $f$(op) in $\Sigma_O$.

2. If op, op' $\in \Sigma_R$ and op $<_{\Sigma_R}$ op', then $f$(op) $<_{\Sigma_O}$ $f$(op').

It is easy to verify that $\Sigma_O$ is a linearization of $H_O$, and is legal from the state $S_R$ of $T_{sp}$.
□

Lemma 4.6 Figure 10 presents a 0-trap (wait-free) implementation of $T_{sp}$, initialized to
$S_L$, from register for processes $P_1, P_2, \ldots, P_n$.

Proof Obvious. □

Lemma 4.7 Any wait-free implementation of consensus from {$T_{sp}$, register} for $n$ processes
requires at least $n - 1$ objects of type $T_{sp}$.

Proof Follows from Lemma 4.3, and Claims 4.4, 4.5, and 4.6. □

Corollary 4.2 $h_1^r(T_{sp}) = 2$.

Proof By Lemma 4.2, $h_1^r(T_{sp}) \ge 2$. By Lemma 4.7, $h_1^r(T_{sp}) \le 2$. Hence the result. □

    Apply(P_i, L-op, O)
        return(L-first)

    Apply(P_i, R-op, O)
        return(L-first)

Figure 10: 0-trap implementation of $T_{sp}$, initialized to $S_L$, from register


Theorem 4.1 $h_1^r$ is neither tight nor robust.

Proof Follows from Proposition 3.6 and Corollaries 4.1 and 4.2. □

Theorem 4.2 $h_1$ is neither tight nor robust.

Proof From the definitions of $h_1$ and $h_1^r$, it is obvious that, for all types $T$, $h_1(T) \le h_1^r(T)$.
In particular, $h_1(T_{sp}) \le h_1^r(T_{sp}) = 2 < \infty = h_m^r(T_{sp})$. Thus, by Proposition 3.6, $h_1$ is
neither tight nor robust. □


5 On the robustness of $h_m$

The main result of this section is that $h_m$ is not robust. We prove this result by presenting
an infinite family $T_{nd}^k$, $k \in \{2, 3, 4, \ldots\} \cup \{\infty\}$, of object types with the following properties:

1. There is an implementation of consensus from {$T_{nd}^k$, register} for $k$ processes, but
not for $k + 1$ processes.

2. There is no implementation of consensus from {$T_{nd}^k$} for two processes.

Property (1) implies that $h_m^r(T_{nd}^k) = k$. Property (2) implies that $h_m(T_{nd}^k) = 1$. Thus,
$h_m \neq h_m^r$, and by Proposition 3.6, $h_m$ is not robust.* This result is significant in the following
sense. Registers by themselves are too weak to solve even 2-process consensus. So are
$T_{nd}^{\infty}$ objects. Combining these two types, however, lets us solve consensus among any number
of processes!

The object type $T_{nd}^k$ is specified in Figure 11. In this specification, choose($S$) is assumed
to choose an element from set $S$ non-deterministically and return it. Notice that upset and
ahead[$i$] are stable: once true, they remain true. Similarly, once decision $\in \{0, 1\}$, it does
not change.

*A single member of the family is sufficient to establish that $h_m$ is not robust. The existence of an
entire family shows that there is not even a coarsening of $h_m$ which is non-trivial and robust.

S1. $T_{nd}^k$ supports operations in {op($i$) | $i \in \{0, 1\}$} $\cup$ {give-decision($i$, $b$) | $i \in \{0, 1\}$,
$b \in$ {true, false}}.

S2. The response for op(0) or op(1) is always ack. The response for give-decision(-, -)
is either 0 or 1.

S3. The state of $T_{nd}^k$ is represented by the variables $n_0, n_1, n_{gd}$ : integer; decision $\in
\{\bot, 0, 1\}$; ahead[0..1], upset : boolean. Informally, $n_0, n_1, n_{gd}$ count the number of
executions of op(0), op(1), and give-decision, respectively. The variable ahead[$i$]
is set to true if $n_i > 0$ and $n_{\bar{i}} = 0$ when give-decision($i$, -) is executed. The
variable upset is set to true if one of the following happens: (i) op(1) is executed
more than once (op(0) may be executed any number of times without upsetting a
$T_{nd}^k$ object); (ii) give-decision is executed more than $k$ times; (iii) give-decision($i$, -)
is executed with no prior execution of op($i$); (iv) give-decision($i$, true) is executed
with no prior execution of op($\bar{i}$); (v) give-decision($i$, false) is executed and
ahead[$\bar{i}$] = true. If upset, a $T_{nd}^k$ object returns 0 or 1 non-deterministically to an invocation
of give-decision. If not upset, it sets decision irrevocably and non-deterministically
(if not already set) to 0 or 1 such that $n_{decision} > 0$, and returns decision. See S5
below for a formal sequential specification of $T_{nd}^k$.

S4. The state of $T_{nd}^k$ corresponding to ($n_0 = n_1 = n_{gd} = 0$; decision $= \bot$; ahead[0..1] =
upset = false) is known as the fresh state. The states of $T_{nd}^k$ are only those that are
reachable from the fresh state by the following specification.

S5. The sequential specification of $T_{nd}^k$ is as follows:

    op(i)    /* i ∈ {0, 1} */
        n_i := n_i + 1
        if n_1 > 1 then upset := true
        return(ack)

    give-decision(i, other-is-ahead)    /* i ∈ {0, 1}, other-is-ahead: boolean */
        n_gd := n_gd + 1
        if (n_i > 0 ∧ n_ī = 0) then ahead[i] := true
        if (n_gd > k) ∨ (n_i = 0) ∨ (ahead[ī] ∧ ¬other-is-ahead) ∨ (n_ī = 0 ∧ other-is-ahead) then
            upset := true
        if upset then
            return(choose({0, 1}))
        else if decision = ⊥ then
            decision := choose({j | n_j > 0})
        return(decision)
Figure 11: Object type $T_{nd}^k$

5.1 consensus from {$T_{nd}^k$, register} - an implementation

In this section, we show, for $k \in \{2, 3, \ldots\} \cup \{\infty\}$, how to implement a consensus object for
$k$ processes using only $T_{nd}^k$ objects and registers. Our implementation is recursive. Let $\mathcal{I}_n^k$
denote the implementation of consensus from {$T_{nd}^k$, register} for processes $P_1, P_2, \ldots, P_n$.
The base case is to derive $\mathcal{I}_0^k$, implementation of consensus for an empty set of processes,
and is vacuous. The recursive step of deriving $\mathcal{I}_n^k$ from $\mathcal{I}_{n-1}^k$ is presented in Figure 12.

The implementation $\mathcal{I}_n^k$ works as follows. Processes $P_1 \ldots P_n$ split into two groups, $G_0$
and $G_1$. Group $G_0$ has $P_1 \ldots P_{n-1}$, and group $G_1$ has just $P_n$. Processes $P_1 \ldots P_{n-1}$ do
consensus among themselves (recursively) and announce the outcome in $R[0]$. Process $P_n$
announces its input value in $R[1]$. The rest of the protocol resolves which of the two groups
is the winner. If $G_0$ wins, every process decides the value in $R[0]$. Similarly, if $G_1$ wins,
every process decides the value in $R[1]$. The object $O_{nd}$ is used to determine the winner
of the two groups. Processes $P_1 \ldots P_{n-1}$ perform the operation op(0) on $O_{nd}$. Then they
set the register $R'[0]$ to inform process $P_n$ that op(0) has been executed on $O_{nd}$. Process
$P_n$, on the other hand, performs op(1) on $O_{nd}$ and then sets $R'[1]$ to inform processes in
$G_0$ that op(1) has been executed. Processes then perform the give-decision operation.
The return value determines the winning group. For this strategy to work correctly, the
arguments of the give-decision operation must be such that the $O_{nd}$ object does not get
upset. We urge the reader to understand how the registers $R'[0..1]$ are used to ensure that
$O_{nd}$ does not get upset. Finally, if $O_{nd}$ returns $v$, a process assumes that the group $G_v$ won
and decides the value in $R[v]$.

Lemma  5.1  For  I  <  n  <  k,  the  implementation  In  Figure  12  is  a  correct  implementa¬ 
tion  of  consensus  from  register)  for  processes  Pj,  f’2, .  •  • ,  Pn- 

Proof  Sketch  By  induction.  Assume  that  is  correct.  Let  0„  be  a  derived  object 
of  the  implementation  in  Figure  12.  Consider  an  execution  E  of  the  concurrent  system 
{Pi,P2,..  .,Pn\On)  in  which  every  process  has  invoked  Apply(F,, propose  v,,Gn)  exactly 
once,  and  executed  it  to  completion.  The  key  claim  is  that  Ond  is  not  upset  in  E.  This 
follows  from  the  following  simple  observations; 

1. op(1) is executed only once.

2. For $v \in \{0, 1\}$, op($v$) is executed before executing give-decision($v$, $-$).

3. give-decision is executed no more than $n$ times. Since $n \le k$, give-decision is executed no more than $k$ times.

4. Suppose op($v$) is ahead of op($\bar{v}$). That is, the operations op($v$) and then give-decision($v$, $-$) are completed before the first invocation of op($\bar{v}$). Then, the use of the registers $R'[0..1]$ in the implementation guarantees that when a process invokes give-decision($\bar{v}$, other-ahead), the second parameter, namely, other-ahead, is true.

5. Suppose no process completes the operation op($\bar{v}$) before some process invokes give-decision($v$, other-ahead). Then the use of the registers $R'[0..1]$ in the implementation $\mathcal{I}_n$ guarantees that the second parameter of give-decision, namely, other-ahead, is false.

base objects of the implementation
  $O_{n-1}$: consensus object for $P_1, P_2, \ldots, P_{n-1}$, derived from $\mathcal{I}_{n-1}$
  $O_{nd}$: $T^k_{nd}$ object, initialized to the fresh state
  $R[0..1]$: binary registers
  $R'[0..1]$: boolean registers, initialized to false

local variables of process $P_i$
  $d_i$, winner$_i \in \{0, 1\}$
  other-ahead$_i$: boolean

Apply($P_i$, propose $v_i$, $O_n$) (for $1 \le i \le n - 1$)
  1. $d_i$ := Apply($P_i$, propose $v_i$, $O_{n-1}$)
  2. $R[0]$ := $d_i$
  3. Apply($P_i$, op(0), $O_{nd}$)
  4. $R'[0]$ := true
  5. other-ahead$_i$ := $R'[1]$
  6. winner$_i$ := Apply($P_i$, give-decision(0, other-ahead$_i$), $O_{nd}$)
  7. return($R$[winner$_i$])

Apply($P_n$, propose $v_n$, $O_n$)
  $d_n$ := $v_n$
  $R[1]$ := $d_n$
  Apply($P_n$, op(1), $O_{nd}$)
  $R'[1]$ := true
  other-ahead$_n$ := $R'[0]$
  winner$_n$ := Apply($P_n$, give-decision(1, other-ahead$_n$), $O_{nd}$)
  return($R$[winner$_n$])

Figure 12: Implementing consensus from $\{T^k_{nd}, \text{register}\}$

Since $O_{nd}$ is not upset in $E$, by the specification of $T^k_{nd}$, we have:

1. Every give-decision operation on $O_{nd}$ returns the same binary response. Let winner $\in \{0, 1\}$ denote this response.

2. Some process $P_j$ invokes op(winner) before $O_{nd}$ returns winner for the first time to a give-decision operation.

From the implementation, it is clear that $P_j$ writes the value $d_j$ in $R$[winner] before invoking op(winner). Furthermore, once a value is written by a process into a register $R[0]$ or $R[1]$, the value of that register never subsequently changes. For $R[0]$, this follows from the agreement property of $O_{n-1}$, and for $R[1]$, this follows from the fact that only $P_n$ writes $R[1]$ and writes it only once.

The above implies that for all $i$, Apply($P_i$, propose $v_i$, $O_n$) returns $d_j$. Thus, $O_n$ satisfies agreement. If $j = n$, then $d_j = d_n = v_n$, and thus, $O_n$ satisfies validity. If $j \ne n$, by the validity of $O_{n-1}$, $d_j \in \{v_1, \ldots, v_{n-1}\}$. Thus, $O_n$ satisfies validity. It is obvious that the implementation is wait-free. This concludes the proof of correctness of $\mathcal{I}_n$. □

5.2 consensus from $\{T^k_{nd}, \text{register}\}$ — an impossibility result

In this section, we prove that $T^k_{nd}$ objects and registers do not suffice to implement a consensus object for $k + 1$ processes. This impossibility result follows from a straightforward bivalency argument. The intuition behind why this impossibility result holds for $k + 1$ processes, but not for $k$ processes, is as follows. As we have seen, a $T^k_{nd}$ object supports two kinds of operations: op and give-decision. The operation op($v$) does not return any useful information to the invoking process. This is due to the fact that the response of op($v$) is always ack. The operation give-decision does return useful information, but only to the first $k$ invocations of the operation. Thereafter, its response is non-deterministic and hence is not helpful. Thus, $k$ processes may gain useful information from a $T^k_{nd}$ object, but $k + 1$ processes cannot. We now proceed to prove the impossibility result.

Let $T^k_d$ be a deterministic object type whose specification is defined by replacing every expression of the form choose($S$) in Figure 11 by min($S$).* Thus, $T^k_d$ is a deterministic restriction of $T^k_{nd}$. Hence, if a history of an object is linearizable with respect to $T^k_d$, then it is a fortiori linearizable with respect to $T^k_{nd}$. We prove below that $T^k_d$ objects and registers do not suffice to implement a consensus object for $k + 1$ processes. This trivially implies that $T^k_{nd}$ objects and registers cannot implement a consensus object for $k + 1$ processes.

* min($S$) is the minimum element in set $S$.
As mentioned, the proof uses a simple bivalency argument. Since bivalency arguments are standard, our definitions and the proof are informal. A configuration $C$ of a concurrent system is $v$-valent (for $v \in \{0, 1\}$) if there is no execution from $C$ in which $\bar{v}$ is decided by some process. In other words, once the system is in configuration $C$, no matter how processes are scheduled, no process decides $\bar{v}$. A configuration is monovalent if it is either 0-valent or 1-valent. A configuration is bivalent if it is not monovalent. If $E$ is a finite execution of a system $\mathcal{S}$ started in configuration $C$, $E(C)$ denotes the configuration of $\mathcal{S}$ at the end of the execution $E$. For the purposes of this section, a step of a process $P$ consists of invoking an operation on an object $O$, receiving the response from $O$, and making an appropriate change in its state.

Lemma 5.2 For all $k \in \{2, 3, \ldots\}$, there is no implementation of consensus from $\{T^k_d, \text{register}\}$ for $k + 1$ processes.

Proof Assume $\mathcal{I}(O_1, O_2, \ldots, O_n)$ is an implementation of consensus from $\{T^k_d, \text{register}\}$ for processes $P_1, P_2, \ldots, P_{k+1}$. Let $\mathcal{O} = \mathcal{I}(O_1, O_2, \ldots, O_n)$. Consider the concurrent system $\mathcal{S} = (P_1, P_2, \ldots, P_{k+1}; \mathcal{O})$. Let $C_0$ be the initial configuration of $\mathcal{S}$. Assume that in $C_0$, each process $P_i$ is about to execute Apply($P_i$, propose $v_i$, $\mathcal{O}$). Furthermore, assume that there are $l, m$ ($1 \le l, m \le k + 1$) such that $v_l = 0$ and $v_m = 1$.

When $P_l$ runs by itself from $C_0$, the validity and wait-freedom of $\mathcal{O}$ require that $P_l$ decide $v_l = 0$. Similarly, when $P_m$ runs by itself from $C_0$, it decides $v_m = 1$. Thus, $C_0$ is bivalent. Let $E$ be an execution from $C_0$ such that (1) $C_{crit} = E(C_0)$ is bivalent, and (2) for all $P_i$, if $P_i$ takes a step from $C_{crit}$, the resulting configuration is monovalent. Let $S_v$ be the set of processes whose step from $C_{crit}$ results in a $v$-valent configuration. Since $C_{crit}$ is bivalent, neither $S_0$ nor $S_1$ is empty. Furthermore, $S_0 \cap S_1 = \emptyset$ and $|S_0 \cup S_1| = k + 1 \ge 3$ (since $k \ge 2$). Without loss of generality, assume that $|S_0| \ge 2$ and $|S_1| \ge 1$. In particular, let $S_0 = \{P^0_1, P^0_2, \ldots, P^0_r\}$ and $S_1 = \{P^1_1, P^1_2, \ldots, P^1_s\}$, where $r \ge 2$ and $s \ge 1$.

By a standard argument, the enabled step of every process in configuration $C_{crit}$ must be on the same base object $O$ of $\mathcal{O}$. Furthermore, again by a standard argument, $O$ is not a register. Thus, the enabled step of every process in configuration $C_{crit}$ is on $O$, an object of type $T^k_d$. Let $s^0_i$ and $s^1_j$ denote the enabled steps of $P^0_i$ and $P^1_j$, respectively, in configuration $C_{crit}$. Consider the following scenarios $S_0$ and $S_1$, each starting from the configuration $C_{crit}$.

• In Scenario $S_0$, $P^0_1$ takes the step $s^0_1$. Then, $P^1_1$ takes a step. Let $B_0$ be the resulting configuration. Clearly $B_0$ is a 0-valent configuration.

• In Scenario $S_1$, $P^1_1$ takes the step $s^1_1$. Then, $P^0_1$ takes a step. Let $B_1$ be the resulting configuration. Clearly $B_1$ is a 1-valent configuration.

Processes $P^0_1$ and $P^1_1$ have to distinguish Scenario $S_0$ from Scenario $S_1$, since they must decide 0 in (every extension of) $S_0$, and decide 1 in (every extension of) $S_1$. Observe that unless the operation applied by $P^0_1$ (resp. $P^1_1$) in step $s^0_1$ (resp. $s^1_1$) is a give-decision operation, it must eventually apply a give-decision operation on $O$ in order to distinguish $S_0$ from $S_1$. Thus, we extend Scenarios $S_0$ and $S_1$ as follows:

• If the operation applied by $P^0_1$ on $O$ in step $s^0_1$ is not a give-decision operation, run $P^0_1$ (in both scenarios) exactly until $P^0_1$ completes a step in which it applies a give-decision operation on $O$.

• If the operation applied by $P^1_1$ on $O$ in step $s^1_1$ is not a give-decision operation, run $P^1_1$ (in both scenarios) exactly until $P^1_1$ completes a step in which it applies a give-decision operation on $O$.

A process $P \in \{P_1, \ldots, P_{k+1}\} - \{P^0_1, P^1_1, P^0_2\}$ has to distinguish Scenario $S_0$ from Scenario $S_1$, since $P$ must decide 0 in (every extension of) $S_0$, and decide 1 in (every extension of) $S_1$. Observe, however, that $P$ cannot distinguish $S_0$ from $S_1$ until it applies a give-decision operation on $O$. Thus, we extend Scenarios $S_0$ and $S_1$ as follows:

• For each $P \in \{P_1, \ldots, P_{k+1}\} - \{P^0_1, P^1_1, P^0_2\}$, run $P$ (in both scenarios) exactly until $P$ completes a step in which it applies a give-decision operation on $O$.

We make the following observations: (1) The process $P^0_2$ is in the same state in Scenarios $S_0$ and $S_1$. (2) Every base object except $O$ is in the same state in $S_0$ and $S_1$. (3) In both $S_0$ and $S_1$, a give-decision operation is applied on $O$ at least $k$ times (once by each process in $\{P_1, \ldots, P_{k+1}\} - \{P^0_2\}$, in the execution from $C_{crit}$). The second observation, together with the specification of $T^k_d$, implies that every subsequent give-decision operation on $O$ returns 0 in either scenario. Extend Scenarios $S_0$ and $S_1$ by letting $P^0_2$ run by itself. By the above observations, $P^0_2$ cannot distinguish whether it is running in $S_0$ or $S_1$. Yet it must decide 0 in $S_0$ and 1 in $S_1$. This is impossible. Hence the lemma. □

Corollary 5.1 For all $k \in \{2, 3, \ldots\} \cup \{\infty\}$, $h_m^r(T^k_{nd}) = k$.

Proof Follows from Lemmas 5.1 and 5.2. □

5.3 $h_m$ is not robust

In this section, we prove that $h_m(T^k_{nd}) = 1$. Thus, $h_m$ is different from $h_m^r$ and, hence, is not robust. We begin with a simple technical lemma that will be useful in proving $h_m(T^k_{nd}) = 1$. The lemma states that it is trivial to implement $T^k_{nd}$ initialized to any state different from the fresh state. In the following, let $\sigma[v]$ denote the value of state variable $v$ in state $\sigma$.

Lemma 5.3 Let $\sigma$ be any state of $T^k_{nd}$ different from the fresh state. Figure 13 is an implementation of $T^k_{nd}$, initialized to $\sigma$, from $\emptyset$.*

Proof If $\sigma$ is different from the fresh state, then it is easy to verify that $(\sigma[decision] \in \{0, 1\}) \lor (\sigma[n_0] > 0) \lor (\sigma[n_1] > 0) \lor \sigma[upset]$. From this and the specification of $T^k_{nd}$, the correctness of the implementation is obvious. □

* Thus, the implementation requires no base objects, not even registers.
op($v$)
  return(ack)

give-decision($v$, $b$)
  if $\sigma[decision] \in \{0, 1\}$ then
    return($\sigma[decision]$)
  else if ($\sigma[upset] \lor \sigma[n_0] > 0$) then
    return(0)
  else return(1)

Figure 13: Implementing $T^k_{nd}$, initialized to a non-fresh state $\sigma$


The following lemma states that it is impossible to implement a consensus object for two processes using just $T^k_{nd}$ objects. Intuitively, $T^k_{nd}$ objects are so weak that a process cannot use these objects to leave its “foot marks” behind. Thus, if a process $P_0$ runs first, and then a different process $P_1$ runs, $P_1$ does not realize that $P_0$ ran before it started. This can cause $P_1$ to decide a value which is not consistent with the decision of $P_0$. The proof below formalizes this argument. The details of the argument are subtle due to the non-determinism of the $T^k_{nd}$ objects.

Lemma 5.4 For all $k \in \{2, 3, \ldots\} \cup \{\infty\}$, $h_m(T^k_{nd}) = 1$.

Proof To prove this lemma, we must show that it is impossible to implement a consensus object for two processes using just $T^k_{nd}$ objects. We show this by contradiction. Let $\mathcal{I}(O_1, O_2, \ldots, O_n)$ be an implementation of consensus from $T^k_{nd}$ for processes $P_0$ and $P_1$, which is resource optimal: i.e., if $\mathcal{I}'$ is another implementation of consensus from $T^k_{nd}$ for two processes, then $\mathcal{I}'$ requires at least $n$ base objects. From Lemma 5.3, it follows that every base object of $\mathcal{I}$ is initialized to the fresh state.

Consider a derived consensus object $\mathcal{O}$ of the implementation $\mathcal{I}$. Let $O_1, O_2, \ldots, O_n$ be the base objects of $\mathcal{O}$. In other words, $\mathcal{O} = \mathcal{I}(O_1, O_2, \ldots, O_n)$. In the following, we present two scenarios, $S_0$ and $S_1$, which are indistinguishable to $P_1$, but require $P_1$ to take different actions.

In Scenario $S_0$, $P_0$ invokes Apply($P_0$, propose 0, $\mathcal{O}$) and executes it to completion. (Execution to completion is possible since $\mathcal{I}$ is a wait-free implementation.) Assume that during the execution of Apply($P_0$, propose 0, $\mathcal{O}$), every base object behaves like a $T^k_d$ object. That is, the history of each base object in the execution of Apply($P_0$, propose 0, $\mathcal{O}$) is linearizable with respect to $T^k_d$. We will refer to this as Assumption A1. By the validity property of $\mathcal{O}$, Apply($P_0$, propose 0, $\mathcal{O}$) returns 0. Let $S$ be the set of base objects which are in the fresh state in Scenario $S_0$ at the completion of Apply($P_0$, propose 0, $\mathcal{O}$). Continue Scenario $S_0$, and begin Scenario $S_1$, by letting $P_1$ invoke Apply($P_1$, propose 1, $\mathcal{O}$) and run by itself in either scenario. (See Figure 14 for a depiction of Scenarios $S_0$ and $S_1$.) Assume that each base object in $S$ behaves deterministically, consistent with $T^k_d$, in both scenarios. We will refer to this as Assumption A2. We prove the following statement inductively: the base objects in $\{O_1, O_2, \ldots, O_n\} - S$ can choose among the non-deterministic alternatives (when applicable) such that for all $i \ge 0$, $P_1$ cannot distinguish $S_0$ from $S_1$ in $i$ steps. The base case for $i = 0$ is trivial. To prove the induction step, assume the hypothesis for $i \le m$.

Scenario $S_0$: $P_0$ executes Apply($P_0$, propose 0, $\mathcal{O}$); then $P_1$ executes Apply($P_1$, propose 1, $\mathcal{O}$)
Scenario $S_1$: $P_1$ executes Apply($P_1$, propose 1, $\mathcal{O}$)
(horizontal axis: TIME)

Figure 14: Scenarios $S_0$ and $S_1$

Consider the $(m + 1)^{\text{st}}$ step. Let oper be the operation that $P_1$ performs in this step in Scenario $S_0$, and let $O$ be the base object on which it performs oper. From the induction hypothesis and the fact that the implementation is deterministic, it follows that $P_1$ performs oper on $O$ in its $(m + 1)^{\text{st}}$ step in Scenario $S_1$ too.

Suppose oper $\in$ {op(0), op(1)}. Then, the response is ack in either scenario. Thus, $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. Hence the induction step.

Suppose that oper is give-decision($-$, $-$). We make a case analysis to prove the induction step.

Case 0. $O \in S$

$O$ is fresh in both $S_0$ and $S_1$ just before the invocation of Apply($P_1$, propose 1, $\mathcal{O}$). For $S_0$, this follows from the definition of $S$, and for $S_1$, from the fact that every base object is initialized to the fresh state. By Assumption A2, $O$ behaves deterministically (consistent with $T^k_d$) in both scenarios. The above facts, together with the induction hypothesis, guarantee that (i) $O$ is in the same state in both scenarios at the end of $m$ steps of $P_1$, and (ii) $O$ returns the same response to oper in both scenarios. Thus, $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. Hence the induction step.


Case 1. Case 0 does not apply and the following holds: In at least one of $S_0$ and $S_1$, $O$ is upset in the first $m + 1$ steps of $P_1$.

Let $S_i$ be a scenario in which $O$ is upset in the first $m + 1$ steps of $P_1$. By the specification of $T^k_{nd}$, $O$ is free to return 0 or 1 to oper in Scenario $S_i$. Suppose that $O$ uses this freedom and returns the same response to oper in $S_i$ as it does in $S_{\bar{i}}$. Then $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. Hence the induction step.

Case 2. Neither Case 0 nor Case 1 applies. In other words, $O$ is not fresh in $S_0$ just before the invocation of Apply($P_1$, propose 1, $\mathcal{O}$) and, in both $S_0$ and $S_1$, $O$ is not upset at the end of $m + 1$ steps of $P_1$.

We prove the induction step by contradiction. Assume that it is not possible to keep Scenarios $S_0$ and $S_1$ indistinguishable to $P_1$ at the end of $m + 1$ steps. We will refer to this as Assumption A3. We arrive at a contradiction after a series of claims. Let $\sigma^k_0$ and $\sigma^k_1$ denote the state of $O$ at the end of $k$ steps of $P_1$ in Scenarios $S_0$ and $S_1$ respectively.

C1. $\sigma^m_1[n_{gd}] = 0$. In other words, $P_1$ does not apply a give-decision operation on $O$ in its first $m$ steps.

Suppose that the claim is false. Let $k \le m$ be the smallest integer such that $\sigma^k_1[n_{gd}] = 1$. That is, give-decision is executed on $O$ for the first time by $P_1$ in its $k^{\text{th}}$ step in Scenario $S_1$. Since $O$ is not upset in $S_1$, this implies that $\sigma^k_1[decision] \in \{0, 1\}$, and this value is returned by $O$ in the $k^{\text{th}}$ step of $P_1$ in $S_1$. By inductive hypothesis, the same value $\sigma^k_1[decision]$ is returned by $O$ in the $k^{\text{th}}$ step of $P_1$ even in $S_0$. Since $O$ is not upset in $S_0$, this implies that $\sigma^k_0[decision] = \sigma^k_1[decision]$. Since decision is irrevocable, it follows that $\sigma^m_0[decision] = \sigma^k_0[decision] = \sigma^k_1[decision] = \sigma^m_1[decision] \in \{0, 1\}$. Since $O$ is not upset in either scenario, the responses $\sigma^m_0[decision]$ and $\sigma^m_1[decision]$ of $O$ to oper in Scenarios $S_0$ and $S_1$, respectively, are identical. Thus, $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. This contradicts Assumption A3.

C2. There is a $v \in \{0, 1\}$ such that $\sigma^m_1[n_v] > 0$ and $\sigma^m_1[n_{\bar{v}}] = 0$. In other words, $P_1$ executes op($v$), but not op($\bar{v}$), in its first $m$ steps in $S_1$.

Suppose $\sigma^m_1[n_0] = \sigma^m_1[n_1] = 0$. Then, by the specification of $T^k_{nd}$, when $P_1$ applies oper = give-decision($-$, $-$) in the $(m + 1)^{\text{st}}$ step in $S_1$, it upsets $O$. This contradicts the case we are considering. Suppose $\sigma^m_1[n_0] > 0$ and $\sigma^m_1[n_1] > 0$. Since $\sigma^m_1[n_{gd}] = 0$ (by C1), by the specification of $T^k_{nd}$, $O$ is free to return either 0 or 1 in $S_1$. Suppose that $O$ uses this freedom and returns the same response to oper in $S_1$ as it does in $S_0$. Then $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. This contradicts Assumption A3.

C3. $P_1$ executes op($v$) on $O$ at least once in its first $m$ steps in $S_0$.

Follows from C2 and the induction hypothesis.

C4. oper = give-decision($v$, false).

Suppose oper = give-decision($\bar{v}$, $-$) or oper = give-decision($v$, true). Since $\sigma^m_1[n_{\bar{v}}] = 0$ (by C2), $O$ will be upset in $S_1$ when oper is invoked in the $(m + 1)^{\text{st}}$ step. This contradicts the case we are considering.
C5. $\sigma^m_0[ahead[\bar{v}]]$ = false.

Suppose $\sigma^m_0[ahead[\bar{v}]]$ = true. Then, when $P_1$ executes oper = give-decision($v$, false) (guaranteed by C4) in its $(m + 1)^{\text{st}}$ step in $S_0$, it upsets $O$. This contradicts the case we are considering.

C6. $v = 1$ implies $\sigma^0_0[n_{gd}] = 0$. In other words, if $v = 1$, then $P_0$ never executed a give-decision operation on $O$ in $S_0$.

Suppose $v = 1$ and $P_0$ executed give-decision(1, $-$) on $O$ in $S_0$. Since $O$ is not upset in $S_0$, it follows that $P_0$ executed op(1) on $O$ before executing give-decision(1, $-$). By C3 and the assumption that $v = 1$, $P_1$ executed op(1) in $S_0$. Thus op(1) was executed at least twice on $O$ in $S_0$. By the specification of $T^k_{nd}$, $O$ would be upset in $S_0$. This contradicts the case we are considering.

Suppose $v = 1$ and $P_0$ executed give-decision(0, $-$) on $O$ in $S_0$. Since $O$ is not upset in $S_0$, it follows that $P_0$ executed op(0) on $O$ before executing give-decision(0, $-$). By C5 and the assumption that $v = 1$, $\sigma^m_0[ahead[0]]$ = false. This implies that $P_0$ executed op(1) on $O$ before executing give-decision(0, $-$). By C3 and the assumption that $v = 1$, $P_1$ executed op(1) in $S_0$. Thus op(1) was executed at least twice on $O$ in $S_0$. By the specification of $T^k_{nd}$, $O$ would be upset in $S_0$. This contradicts the case we are considering.

C7. $v = 0$.

Suppose $v = 1$. Then, we can infer: (1) $\sigma^m_1[n_{gd}] = 0$ (by C1), (2) $\sigma^m_0[n_{gd}] = 0$ (by C1, induction hypothesis, and C6), (3) $\sigma^m_1[n_1] > 0$ (by C2), (4) $\sigma^m_0[n_1] > 0$ (by C3). These four facts, together with the specification of $T^k_{nd}$, imply that $O$ is free to return 0 to oper in both $S_0$ and $S_1$. Suppose that $O$ does this. Then $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. This contradicts Assumption A3.

C8. $O$ returns 0 to oper (in the $(m + 1)^{\text{st}}$ step of $P_1$) in Scenario $S_1$.

C2 and C6 imply that $\sigma^m_1[n_0] > 0$ and $\sigma^m_1[n_1] = 0$. Further, by the case we are considering, $O$ is not upset in the first $m + 1$ steps of $P_1$ in Scenario $S_1$. The above facts imply that the only legal value that $O$ can return to oper is 0.

C9. If $P_0$ executed give-decision(1, $-$) on $O$ (in $S_0$), it did so only after executing op(0) on $O$.

Suppose $P_0$ executed give-decision(1, $-$) on $O$ (in $S_0$). Since $O$ is not upset in $S_0$, this implies that $P_0$ executed op(1) on $O$ before executing give-decision(1, $-$). If $P_0$ did not execute op(0) before executing give-decision(1, $-$), then the execution of give-decision(0, $-$) would set ahead[1] to true. This, together with the fact that ahead[1] is stable, implies that $\sigma^m_0[ahead[1]]$ = true. This contradicts the conjunction of C5 and C7.

C10. Every execution of the operation give-decision($-$, $-$) on $O$ by $P_0$ in Scenario $S_0$ returns the response 0.

Consider the earliest execution $e$ of give-decision($w$, $-$) on $O$ by $P_0$ in $S_0$. If $w = 1$, C9 implies that $P_0$ executes op(0) before $e$. If $w = 0$, the fact that $O$ is not upset in $S_0$ implies that $P_0$ executes op(0) before $e$. Thus, we conclude that $P_0$ executes op(0) before $e$. This, together with Assumption A1, implies that $e$ returns 0. From this and the fact that $O$ is not upset in $S_0$, it follows that every execution of give-decision($-$, $-$) on $O$ in $S_0$ returns the response 0.

C11. $P_0$ never executes give-decision($-$, $-$) on $O$ (in $S_0$).

Suppose that the claim is false. Then, from C10 and the fact that $O$ is not upset in $S_0$, it follows that $O$ returns 0 to oper in the $(m + 1)^{\text{st}}$ step of $P_1$ in Scenario $S_0$. Thus, by C8, $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. This contradicts Assumption A3.

We have: (1) $\sigma^m_1[n_0] > 0$. This follows from C3 and C7. (2) $\sigma^m_0[n_0] > 0$. This follows from (1) and induction hypothesis. (3) $\sigma^m_0[n_{gd}] = 0$. This follows from C1, induction hypothesis, and C11. From (2), (3), and the specification of $T^k_{nd}$, it is clear that $O$ is free to return 0 to oper (in the $(m + 1)^{\text{st}}$ step of $P_1$) in Scenario $S_0$. Suppose that it does. Then, by C8, $S_0$ and $S_1$ remain indistinguishable to $P_1$ after $m + 1$ steps. This contradicts Assumption A3. Hence the induction step.

This  completes  the  proof  of  the  induction  step. 

Since $\mathcal{I}$ is a wait-free implementation, Apply($P_1$, propose 1, $\mathcal{O}$) terminates in $S_0$ after a finite number of steps, returning some value val $\in \{0, 1\}$. Since $S_1$ is indistinguishable to $P_1$ from $S_0$, Apply($P_1$, propose 1, $\mathcal{O}$) terminates in $S_1$ after the same number of steps, also returning val. If val = 0, validity of consensus is violated in $S_1$. If val = 1, agreement of consensus is violated in $S_0$. Thus, $\mathcal{I}$ is not a correct implementation, a contradiction. □

Theorem 5.1 $h_m$ is neither tight nor robust.

Proof Follows from Proposition 3.6, Corollary 5.1, and Lemma 5.4. □

6  Conclusion 

It is well known that shared primitives, depending on their type, vary widely in their ability to support inter-process synchronization. Recent research focussed on analyzing the power of individual primitives. In this paper, we ask whether, from our understanding of the power of the individual primitives, we can infer the power of a set of primitives. For instance, is it impossible to implement a universal primitive from non-universal primitives? The answer is not clear. It is conceivable that clever protocols for such implementations exist. Besides being of theoretical interest, these issues have implications for multi-processor architectures. To make a systematic study of these issues possible, we define the property of robustness for wait-free hierarchies. Contrary to popular belief, we show that Herlihy’s wait-free hierarchy is not robust. We also show that some natural variants of Herlihy’s hierarchy are not robust either. This raises the obvious question of whether there is a non-trivial robust wait-free hierarchy at all. We do not know the answer yet. However, we observe that such a hierarchy, if it exists, is either $h_m^r$ or some coarsening of it. Thus, further research on the structure of $h_m^r$ is essential to resolving this open question. As explained in the paper, the answer to this question, regardless of whether it is affirmative or negative, has useful implications. We close with the conjecture that $h_m^r$ is not robust.